Tag: WSUS error

The following procedure apply if you have an existing WSUS server installed on a Windows 2008 R2 OS with SQL Express and you wish to migrate to Windows Server 2012 R2 WSUS server and a separate backend database server.

Step1: Backup SQL DB of Old WSUS Server

Log on to existing WSUS server. Open SQL Management Studio>Connect to DB>Right Click SUSDB>backup full database.

Step2: Export metadata from old WSUS Server

The WSUS Setup program copies WSUSutil.exe to the file system of the WSUS server during installation. You must be a member of the local Administrators group and WSUS Administrator Group on the WSUS server to export or import metadata. Both operations can only be run from the WSUS server itself and during the import or export process, the Update Service is shut down.

Open command prompt as an administrator>go to C:\program Files\Update Services\Tools

Issue wsusutil.exe export c:\export.cab c:\export.log command

Move the export package you just created to the new Microsoft WSUS Server.

If you have .netFramework v.2 or v.4 but not configured in IIS Application. Then most likely above command will fail giving you some grief. Here is a solution for this.

Verify that WSUS is configured to use the .NET4 libraries in IIS>Application Pool

Create a file named wsusutil.exe.config in C:\Program Files\Update Services\Tools

Virtualize a new Windows Server 2012 R2 Server. Setup static IP, Join the server to domain. Install .NetFramework 4 in new server.Do not Configure WSUS at this stage. Go to Step4.

Step4: Restore SQL DB in New SQL Server (Remote and/or Local )

Log on to SQL Server. Open SQL Management Studio>Create a Database named SUSDB

Restore old SUSDB to new SUSDB with override option.

Assign sysadmin, setupadmin role to the person who will install WSUS role in new WSUS server.

Step5: Install WSUS Role & Run Initial Configuration Wizard.

Installation of WSUS

 Log on to the server on which you plan to install the WSUS server role by using an account that is a member of the Local Administrators group.

 In Server Manager, click Manage, and then click Add Roles and Features.

 On the Before you begin page, click Next.

 In the Select installation type page, confirm that Role-based or feature-based installation option is selected and click Next.

 On the Select destination server page, choose where the server is located (from a server pool or from a virtual hard disk). After you select the location, choose the server on which you want to install the WSUS server role, and then click Next.

 In Server Manager, verify if a notification appears to inform you that a restart is required. This can vary according to the installed server role. If it requires a restart make sure to restart the server to complete the installation.

Post Configuration

Open Server Manager>Add/Remove program. It will provide you with previous installation Wizard. Launch Post Configuration Wizard.

 On the Welcome page, click Next.

 On the Installation Mode Selection page, select the Full server installation including Administration Console check box, and then click Next.

 Read the terms of the license agreement carefully. Click I accept the terms of the License agreement, and then click Next.

On the Select Update Source page, you can specify where client computers get updates. If you select the Store updates locally check box, updates are stored on WSUS, and you can select a location (E:\WSUS) in the file system where updates should be stored. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates.

Make your selection, and then click Next.

On the Database Options page, you select the software used to manage the WSUS database. Type <serverName>\<instanceName>, where serverName is the name of the server and instanceName is the name of the SQL instance. Simply type remote or local SQL Server Name and then click Next.

On the Web Site Selection page, you specify the Web site that WSUS will use to point client computers to WSUS. If you wish to use the default IIS Web site on port 80, select the first option. If you already have a Web site on port 80, you can create an alternate site on port 8530 by selecting the second option. Make your selection, and then click Next.

 The final page of the installation wizard will tell you whether or not the WSUS 3.0 installation was completed successfully. The final page of the installation wizard will tell you whether or not the WSUS 3.0 installation was completed successfully. After you click Finish the configuration wizard will be launched.

To back up updates from file system of old WSUS server to a file, follow these steps:

On your old WSUS server, click Start, and then click Run.

In the Run dialog box, type ntbackup. The Backup or Restore Wizard starts by default, unless it is disabled. You can use this wizard or click the link to work in Advanced Mode and use the following steps.

Click the Backup tab, and then specify the folder where updates are stored on the old WSUS server. By default, WSUS stores updates at WSUSInstallationDrive:\WSUS\WSUSContent\.

In Backup media or file name, type a path and file name for the backup (.bkf) file.

Once completed, move the backup file you just created to the new WSUS server.

To restore updates from a file to the file system of the new server, follow these steps:

On your new WSUS server, click Start, and then click Run.

In the Run dialog box, type ntbackup. The Backup or Restore Wizard starts by default, unless it is disabled. You can use this wizard or click the link to work in Advanced Mode and use the following steps.

Click the Restore and Manage Media tab, and select the backup file you created on the old WSUS server. If the file does not appear, right-click File, and then click Catalog File to add the location of the file.

In Restore files to, click Alternate location. This option preserves the folder structure of the updates; all folders and subfolders will appear in the folder you designate. You must maintain the directory structure for all folders under \WSUSContent.

Under Alternate location, specify the folder where updates are stored on the new WSUS server. By default, WSUS stores updates at WSUSInstallationDrive:\WSUS\WSUSContent\. Updates must appear in the folder on the new WSUS server designated to hold updates; this is typically done during installation.

Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. With the new server details and port For example, type http(s)://newservername :Port in both boxes.

Step10: Invoke GPUpdate

Open PowerShell command prompt as an administrator in any computer. Run Invoke-GPUpdate Servername to synchronise server with new WSUS Server.

2013-11-21 09:43:36 Config file did not contain a value “ContentDirectory”2013-11-21 09:43:36 Microsoft.UpdateServices.Administration.CommandException: A required configuration value was not found in the system. This is usually caused by installing WSUS through PowerShell and not specifying a configuration file. Review the article Managing WSUS Using PowerShell at TechNet Library (http://go.microsoft.com/fwlink/?LinkId=235499) for more information on the recommended steps to perform WSUS installation using PowerShell. at Microsoft.UpdateServices.Administration.PostInstall.GetConfigValue(String filename, String item)

Issue: This is a known issue on Windows Server 2012. Microsoft WSUS team posted an work around to resolve the issue.

Solution: In the WSUS server, open PowerShell, type the following depending on which database you have:

Here content_dir is your real directory where you would like to install WSUS and pointed that directory during WSUS installation and rest are self explanatory. Once you do that you will see output in the logs available in C:UsersthermomixadminAppDataLocalTemp directory.

This article provides actionable advice about how to manage patches to reduce downtime while still maintaining the security of software services through the proactive reduction of dependencies and the use of workaround solutions.

Patching Requirements

Windows Server patches, hotfixes and service pack is critical for compliance, service level agreement and security purposes. Keeping an operating systems and application up to date is the key to align your infrastructure with latest software. Patches and hotfixes also enable you to prevent any security breaches and malware infection.

Consultants should take time to test the patches in a non-production environment prior to being deployed to production. This will help to gauge the impact of such changes. Ideally you will have the following patching groups:

1. UAT (UAT1, UAT2, etc)

2. Test Environment (Test1, Test2, etc)

3. Development Environment (Dev1, Dev2 etc)

4. Production (Prod1, Prod2, etc)

If you have clustered environment like SQL, Exchange and SharePoint then create Prod1, prod2 group and place each node on each group.

Change Management

System administrators should maintain a log, written or electronic, of all changes to the operating environment, to include hardware, system security software, operating system, and applications. Prior to any changes being implemented on a system, the system administrator should receive approval of stakeholders.

Backup

Why am I discussing backup with patching best practice? In case of emergency you can rollback completely and restore a server to its original state if necessary. It is very important that servers be backed up on a regular basis. Depending on the use of the server, it may be adequate to backup the server once per week. A backup of a more critical environment may be needed daily, and possibly continuously. The backup program provided with Windows is capable of backing up to virtually any writable media, which can include network drives provided by a server in another physical location. This program is also capable of scheduling backups which can ensure backups occur on a regular interval.

Microsoft strongly recommends that you create the following backups before you install an update rollup, service pack and patch on Exchange and SQL:

A full backup of all databases on the server.

A full backup of transaction log and log backup

A system state backup of the server.

A snapshot of virtualized exchange server. Delete snapshot after successful patching and updating.

Application Compatibility

Read release notes of each hotfixes you are going to apply so that you are compliant with the application installed on the server. Consult with application vendor before applying service pack to any server if the server is hosting specific business application. Consult with application engineer about the importance of server patching. Inform and educate application engineer as much as possible to avoid conflict of interest.

Documentation

Documentation released with the updates is usually in the form of web pages, attached Word documents and README.TXT files. These should be printed off and attached to change control procedures as supporting documentation.

Back out Plan

A back-out plan will allow the system and enterprise to return to their original state, prior to the failed implementation. It is important that these procedures are clear, and that contingency management has tested them, because in the worst case a faulty implementation can make it necessary to activate contingency options. Historically, service packs have allowed for uninstalling, so verify there is enough free hard disk space to create the uninstall folder. Create a back out plan electronically and attach with change management software.

User Notifications

You need to notify helpdesk staff and support agencies of the pending changes so they may be ready for arising issues or outages.

Consistency across Servers

Always install the same service packs or hotfixes to each SQL server node, Exchange DAG member and Domain Controller.

Routine Maintenance Window

A scheduled maintenance window must be agreed with business so that application outage and server reboot can maintain a respectable Service Level Agreement (SLA). If you have a large infrastructure with thousands of servers and many regions working round the clock then you must consider application dependencies. A patching schedule can be considered in between every Friday of every month at 6:00 P.M. Friday to 6:00 A.M Monday. Setup maintenance window in system center or deadline for WSUS to make sure patches are applied when you want instead of when patch is available. In this way you will have a complete control over change windows approved by change advisory board (CAB). Do not allow end users to update patches on their client machine according to their wishes and happiness! then user will never install any patch.

Patching Tools

I strongly recommend that you spend few $$$ to buy Microsoft System Center 2012 to manage and deploy Windows patches, service pack and hotfixes. However you can use Windows Server Update Services (WSUS) as poor man’s patching solutions.

Automated patch management using System Center could enable a single IT administrator to access a pre-populated patch policy. He then could execute the command and with the press of a single button, download the patches from Microsoft’s website, install them on a test machine and test for compatibility issues. Meanwhile, an automatic inventory check could search for systems with the affected software, wake them up, check their readiness and push the verified patches out to waiting machines. The patches would then be automatically installed on each system, and they’d reboot as necessary. The final step is an automated report on the status of the remediated devices.

Standardize Patch Management Processes

Standardized patch management processes could allow for daily assessment and remediation of client devices and weekly assessment and remediation for servers. Reports can then be generated to validate system status on a weekly or bi-weekly schedule. A systems monitoring task that used to take days now takes minutes, and patches are deployed more completely and consistently across the entire IT environment. A single IT administrator can proactively manage thousands of systems tasks in the same amount of time it took an entire team to do the tasks manually.

Reboot Windows Computer

Some application may require reboot of server before patching such as RSA Secure Console. However most of the server must be rebooted after patching. Do not suppress reboot after patching in any circumstances or you will have a messy environment and broken clusters.

X86 and X64 Windows Systems

The most prominent 32-bit application you’re likely to see on a 64-bit Windows system is Office. In this sort of situation System Center benefits most because you can adjust and make decision based on architecture and compliance as well. You can approve patches based on “Needed and Not Installed”. If a server or client need update it will install if not then it will not installed. It’s safe to do so.

Antivirus and Antispyware

Servers are vulnerable to many forms of attack. Implementation and standardization of security methods should be developed to allow early and rapid deployment on servers. It’s important that a Windows server be equipped with a latest centrally managed Antivirus program. Antivirus update must be scheduled with the same maintenance window to update antivirus with latest definition.

Audit Practices

Servers have a powerful auditing feature built in. Typically, server managers would want the auditing system to capture logins, attempted logins, logouts, administrative activities, and perhaps attempts to access or delete critical system files. Auditing should be limited to gathering just the information that is needed, as it does require CPU and disk time for auditing to gather information. Log Management software should be used, if possible, for ease of managing and analysing information. Report can be generated from Systems Center and WSUS as proof of patching cycle.

Log Retention

Servers keep multiple logs and, by default, may not be set to reuse log file entries. It is a good practice to expand the size of the allowed log file and to set it to reuse space as needed. This allows logging to continue uninterrupted. How far back your log entries go will depend on the size of the log file and how quickly you are accumulating log data. If your server environment is critical, you may wish to ensure that the log file size is sufficient to store about 30 days of logging information, andthen rotate log files once per month.

Installing Updates on a single Exchange Server

Download Exchange Update from Microsoft Download Center. Record Current Exchange Version information

After the update rollup installation is complete, select the Check for publisher’s certificate revocation option in Internet Explorer. See “Certificate Revocation List” earlier in this topic.

Check Exchange 2010 version information

View Update rollup in Control Panel>Programs and Features

Patching Microsoft Failover Cluster

You can install Windows service packs on Windows Server Failover Cluster nodes using the following procedure. Administrative privilege is required to perform the following tasks.

Procedure to install Windows service pack or hotfixes in Windows Server 2003:

Check the System event log for errors and ensure proper system operation.

Make sure you have a current backup and updated emergency repair disk for each system. In the event of corrupt files, power outage, or incompatibility, it may be necessary to revert back to the state of the system prior to attempting to install the service pack/hotfixes.

Expand Node A, and then click Active Groups. In the left pane, right-click the groups, and then click Move Group to move all groups to Node B.

Right-click each group, click Move Group, and then move the groups back to their preferred owner.

Procedure to install Windows service pack or hotfixes in Windows Server 2008 and Windows Server 2012:

Check the event log for errors and ensure proper system operation.

Make sure you have a current backup and updated emergency repair disk for each system. In the event of corrupt files, power outage, or incompatibility, it may be necessary to revert back to the state of the system prior to attempting to install the service pack/hotfixes.

On Node A, Expand Services and Applications, and then click the service or application

Under Actions (on the right), click Move this service or application to another node, then choose the node or select Best possible.

In the Failover Cluster Manager snap-in, right-click Node A, and then click Pause.

Install the service pack/hotfixes on Node A, and then restart the computer.

Check the event log for errors. If you find any errors, troubleshoot them before continuing this process.

Under Actions (on the right), click Move this service or application to another node, then choose the node.Note: As the service or application moves, the status is displayed in the results pane (in the center pane). Follow the Step 9 and 10 for each service and application configured on the cluster.

Install the service pack/hotfixes on Node B, and then restart the computer.

Check the event log for errors. If you find any errors, troubleshoot them before continuing this process.

From the Failover Cluster Manager snap-in, right-click Node B, and then click Pause.

Group Policy: Group Policies are the easiest way to configure automatic update settings for client systems in an Active Directory environment. To check WSUS policy has been applied or not, log on to client computer. Open command prompt>type gpresult.exe>hit enter. You will be presented with a list applied GPO in that machine including WSUS policy. Alternatively, you can do the followings.

1. Click Start>Administrative Tools>Group Policy Management. The Group Policy Management Console will come up. 2. At the bottom of the Console Tree, you will see a node called Group Policy Results. Right-click on it and choose Group Policy Results Wizard. 3. It will come up to the Welcome to the Group Policy Results Wizard screen. Just click Next. 4. Now you will come to the Computer Selection screen. You have the choice of This computer or Another computer. Now click Next.

5. Now you can select a specific user or check Do not display policy settings for the selected computer in the results (display user policy settings only). Since you are only interested in whether the Updates GPO has run, you will not select a user. 6. Next the Summary of Selections screen comes up, allowing you to review your selections. Once you’ve verified them, click Next and the Completing the Group Policy Results Wizard will come up. Click Finish.

7.at the right, under Summary, click on Group Policy Objects> Applied GPOs. You should see the list of applied GPOs. In this case you are looking for the GPO WSUS Updates.

E-mail Notifications: WSUS 3.0 can send e-mail notifications of new updates and provide status reports to an administrator. To set this up do the following: 1. Create a user account for the WSUS server to use as an e-mail account. For instance, in our example we created a user account with a mailbox in our domain called WSUS. 2. Now open the WSUS Administrative Console, go to Options in the Console Tree area, then in the Details Pane select E-mail Notifications. 3. In the General tab of E-mail Notifications, as seen in Figure 3.59, put a check beside Send e-mail notification when new updates are synchronized and type the e-mail addresses of the recipients. If you have more than one recipient, separate them by commas. 4. If you are sending status reports to these recipients, put a check beside Send status reports. Select the frequency with which each report is sent (Weekly or Daily) and the time the reports are to be sent, and type in the names of the recipients. You can also select which language you wish the reports to be sent in.

5. Now that the information on the General tab is complete, go to the E-mail Server tab and enter the information about the SMTP server, its port number, the sender’s name and e-mail address, and the username and password of the user that you created for the WSUS account earlier. 6. Once you’ve entered the correct information, click the Test button to verify your settings are correct. If everything looks correct, click OK and you’re done.

Personalization : If you want to personalize the way information is displayed for a WSUS server you can do so by clicking on Personalization within Options. This option allows administrators to choose how server rollup data is displayed, what items will be listed in the To Do list and how validation errors are displayed.

Automatic Approvals: The Automatic Approvals option allows an administrator to automatically approve updates to be installed based on product and classification, and gives the ability to target which computers to set the automatic approval for. Automatic approvals are based on rules.

1. To create a new rule, first click on Automatic Approvals, found in Options. 2. In the Update Rules tab, select New Rule.

3. There are two steps in the Add Rule box. The first step is to select properties. For our example, we chose an update based on product, so we selected When an update is in a specific product. We could also specify a certain classification if we wanted to. Type Name of Rule such as Windows 7 Approval 4. The second step is to edit the properties or values. Click on the link for any product and in the list of products remove the check from All Products. Now scroll down to the listing for Windows and select Windows 7 Client. Click Approve the update for link and select Windows 7 Computer Group, Click when update is in and select update rollups, features or whatever you need. When click OK. 5. We are now back at the Add Rule box. Click Windows 7 approval rule>click run rule.

6. Repeat step2 to step 5 for all other computer groups such windows server 2008 x64.

Are you straggling to troubleshoot WSUS server. Those who followed the steps, I mentioned in my previous posting Install and Configure WSUS—Step by Step but couldn’t get it going and still got issue with deployment. you might have few issues with WSUS. Here are solutions for you.

Client not showing in WSUS Server:

There are several reasons client don’t pop up in WSUS server. a) GPO and WSUS miss-configured. b) Proper prerequisite has not been meet both for server and client as I mentioned in my post.

Log on to WSUS sever as Domain Admin. Open WSUS Console>Option>Computers>Select use group policy or registry settings on computers>Apply>ok.

Are all the computers and Server pointing proper client target group as you mentioned in GPO? Did you configure parent GPO and computers pointing child GPO??? Check group policy object using GPO management console to find out any miss-configuration!!! Make sure the computer you are looking WSUS console is placed in right GPO. Run gpresult.exe from command prompt to find out computer and user config. Wait until GPO refresh time and you will see client in WSUS console.

Another way to see client quickly in WSUS console is to log on to Windows XP SP2 (Must have SP2) client. Run WUAUCLT /DETECTNOW and GPUPDATE /FORCE from command prompt. Reboot client. Log back again.

Another critical point to note here, don’t use default configuration port that is 80. Use port 8530 because in ISA server or corporate firewall might be pointing this port to corporate web site unless web publisher added in ISA.

WSUS database full of BugCheck Dump causing WSUS to stop functioning:

***This file is generated by Microsoft SQL Server version 9.00.4035.00 upon detection of fatal unexpected error. Please return this file, the query or program that produced the bugcheck, the database and the error log, and any other pertinent information with a Service Request***

***Stack Dump being sent to c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\SQLDump0154.txt***

I am one of the victim of this SQL error. This will occupy entire disk space in system partition causing WSUS to stop working. This error got nothing to do with WSUS. This is purely SQL problem. It happens when WSUS is running long and you don’t run clean up wizard to clean database and WSUS. I have to be honest here. I am not an SQL Expert. I found some clues by searching books and google, this SQL error occur when SQL index is corrupt. I logged to SQL server using management studio express and follow this Microsoft link and run DBCC CHECKDB. But this will not solve this issue. Basically, SQL database is screwed. You have to backup database, reinstall WSUS and restore will solve this issue. But my best suggestion would be fresh installation of everything….. start from scratch.

Connection Error

“An error occurred trying to connect the WSUS server. This error can happen for a number of reasons. Check connectivity with the server. Please contact your network administrator if the problem persists. Click Reset Server Node to connect the server again.”

Reason: WSUS-related Web services (IIS) may stop working when you upgrade a Windows Server 2003-based computer to Windows Server 2008

Solutions:

Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.

Try removing the persisted preferences for the console by deleting the wsus file under C:\Documents and Settings\%username%\Application data\Microsoft\MMC\

To work around this problem, uninstall the ASP.NET role service in IIS, and then use Service Manager to reinstall the service. To do this, follow these steps:

WSUS debug tools Download WSUS debug tools from Microsoft WSUS sites. Extract Clientdiag.exe in client machine and WSUS server diagnostic tools in WSUS server. In both case extract in %windir%\system32 location. Open command prompt>change directory to %windir%\system32. Run clientdiag.exe (client machine) and wsusdebugtool.exe (WSUS server) from command prompt. You can run both in wsus server to test whether wsus server is contacting itself for update or not. If you see checking machine state PASS that means client is contacting wsus.

WSUS is flexible enough to deploy starting from small to enterprise organisation. just you need to make sure active directory, DNS and DHCP working perfect. If port 80 is occupied by your company web site you can use port 8530. I used port 8530 on WSUS server. I have ISA 2004 so I will show how to add WSUS publishing rule in ISA 2004 also.

Install Prerequisites

1. IIS installation

go to add/remove windows component and select Application server

click next

Select as above. you must select ASP.net and IIS, then check Internet Information Services and click Details.

Click on start connecting and wait until finish, click next and follow the config screen to select your language, products, classification

wait until synchronisation finish. It might take 30/40 minutes depending on speed of your internet.

Setup IIS Security

Now set permission in IIS in WSUS server, you may set anonymous logon. Don’t worry its inside your firewall.

Configure WSUS

open WSUS management console. In the Left hand side pan, click on Options then click on Change Update File and Language. Check Download Update files to the server when updates are approved. Select appropriate language. Then Click Apply and Ok.

Click on Automatic Approval and create new rules and run the rules. In my case I have two custom rules.

In the left hand side pan right click on All Computers, Click on Add Computer Group. For example, I have three computer groups; desktop, Windows7 and Server.

Group Policy Configuration

This part describes how to use GPO to deliver Automatic Updates

Open group policy management console, Right click on the Group policy objects container and click new. create policies for each of computer groups. For Example, WSUS Policy for desktop, WSUS Policy for Windows 7 and WSUS Server policy.

Now right click on WSUS policy that is desktop policy you just created and change settings of four GPO that are enabled here on screen

Check enabled in following box not to reboot machine if user logged on

Repeat this process for WSUS server policy, Windows 7 Policy and so on.

In GPO management console, Right click on the organisational unit that contain desktop/workstation and link existing WSUS policy you created in above steps with this organisational unit.

Link it with WSUS policy

Repeat same steps for all other organisational unit in GPO management console. Now you may close GPO now.

Important! Do NOT link WSUS policy in child OU. Link directly to the top of OU hierarchy otherwise workstation will not populate.

Publish WSUS policy in ISA Server

If you have ISA 2004/2006 or Forefront TMG 2010, you have to set WSUS policy in ISA firewall access rule. so that ISA doesn’t block communication between server and client. You don’t need to do it if nothing blocking between Client and Server communication and don’t have a firewall.

To publish WSUS policy, Open ISA management console

Go to Network Object and expand WEB listener, right click on web listener click new. Type Name of WSUS server. Name should be netbios name of WSUS server. Follow the screen shot.

Click next, click finish.

In the right hand side Tasks Pan, Click on publish a web server and follow the screen shot

On the next screen shot select the web listener (WSUS server) you added in the previous steps.

Right click on the WSUS Publishing policy, click on property>Click Bridging Tab and check web server and port 8530

On the paths add these path if these aren’t exist already

uncheck verify and block option. Apply Changes and click ok.

Troubleshooting

Go to client machine, run gpupdate /force if client not showing on WSUS

Auto update and patch up gives administrator more time to concentrate other things without spending time on patching up servers and pc. I enjoyed deploying WSUS. I hope these instruction would be handy for you.